Crawlsonar
Security & HTTPS2 min readUpdated 2026-07-09

How to add HTTP security headers (HSTS, CSP and more)

A practical guide to the HTTP security headers every site should send — what each one does, safe values to start with, and how to roll them out without breaking things.

HTTP security headers are instructions your server sends with every response that tell the browser to enforce protections — forcing HTTPS, blocking clickjacking, limiting what scripts can run. They're free defence-in-depth, and most take one line of server or CDN config.

The headers that matter#

HeaderWhat it doesSafe starting value
Strict-Transport-SecurityForces HTTPS for future visitsmax-age=63072000; includeSubDomains
X-Content-Type-OptionsStops MIME-type sniffingnosniff
X-Frame-OptionsBlocks clickjacking via iframesDENY
Referrer-PolicyLimits referrer leakagestrict-origin-when-cross-origin
Permissions-PolicyDisables unused browser featurescamera=(), microphone=(), geolocation=()
Content-Security-PolicyControls what can load/runsee the CSP guide

HSTS: force HTTPS#

HSTS tells browsers to only ever use HTTPS for your domain, defeating downgrade attacks. Start with a long max-age and includeSubDomains:

Strict-Transport-Security: max-age=63072000; includeSubDomains
Watch out: Only add preload (and submit to hstspreload.org) once every subdomain reliably serves HTTPS — preload is hard to undo and applies to all subdomains.

Roll out safely#

  1. Add the unambiguous headers first (nosniff, X-Frame-Options, Referrer-Policy, Permissions-Policy, HSTS) — they rarely break anything.
  2. Add CSP last and in Content-Security-Policy-Report-Only mode first, so violations are reported but nothing is blocked.
  3. Watch the reports, fix legitimate blocks, then switch CSP to enforcing.

Set them at your CDN/edge or server. Generate a ready-to-paste set (raw, nginx or Apache) with the Security Headers Generator, then confirm they're live with the HTTP Header Checker.

Frequently asked questions

Which security header should I add first?

Start with the ones that never break anything: X-Content-Type-Options: nosniff, X-Frame-Options: DENY, a Referrer-Policy, a Permissions-Policy, and HSTS (without preload). Add Content-Security-Policy last, in report-only mode.

Where do I set HTTP headers?

At your CDN/edge (Cloudflare, Fastly, Vercel), your web server (nginx, Apache), or in your app framework. Setting them at the edge applies them everywhere at once.

Do security headers slow down my site?

No — they're a few extra bytes per response and enforced by the browser. The only one that needs care is CSP, because a wrong policy can block your own resources; roll it out in report-only mode first.

Do it with a free tool

Related guides

Published 2026-07-09 · Updated 2026-07-09 · By Crawlsonar.